Types of mac address table entries, Mac address table-based frame forwarding, Configuring the mac address table – H3C Technologies H3C SecBlade NetStream Cards User Manual


You can manually add MAC address entries to the MAC address table of the device to bind specific user
devices to the port. Because manually configured entries have higher priority than dynamically learned
ones, this prevents hackers from stealing data using forged MAC addresses.

Types of MAC address table entries

A MAC address table can contain the following types of entries:

Static entries, which are manually added and never age out.

Dynamic entries, which can be manually added or dynamically learned and may age out.

Blackhole entries, which are manually configured and never age out. Blackhole entries are
configured for filtering out frames with specific destination MAC addresses. For example, to block
all packets destined for a specific user for security concerns, you can configure the MAC address of
this user as a destination blackhole MAC address entry.

To adapt to network changes and prevent inactive entries from occupying table space, an aging
mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is
learned or created, an aging timer starts. If the entry has not been updated when the aging timer
expires, the device deletes the entry. If the entry is updated before the aging timer expires, the
aging timer restarts.

NOTE:

A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

MAC address table-based frame forwarding

When forwarding a frame, the device adopts the following forwarding modes based on the MAC
address table:

Unicast mode: If an entry is available for the destination MAC address, the device forwards the
frame out the outgoing interface indicated by the MAC address table entry.

Broadcast mode: If the device receives a frame with the destination address being all ones, or no
entry is available for the destination MAC address, the device broadcasts the frame to all the
interfaces except the receiving interface.
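
The following Python sketch is an added illustration, not part of the H3C manual or device software. It models the entry types, aging, and forwarding modes described above, and shows that a frame with a forged source MAC cannot displace a static binding. The class and method names, port numbers, and MAC addresses are constructed for the example.

```python
# Toy model of the MAC address table rules described above (added example,
# not H3C code). Names, ports, and MAC addresses are constructed.
BROADCAST = "ffff-ffff-ffff"
SERVER, BLOCKED = "0000-0000-00aa", "0000-0000-00bb"
HOST_C, HOST_D = "0000-0000-00cc", "0000-0000-00dd"

class MacTable:
    def __init__(self, ports, aging=300):
        self.ports, self.aging = set(ports), aging
        self.entries = {}  # mac -> (kind, port, last_update)

    def add(self, mac, kind, port=None, now=0):
        """Add a static, dynamic, or blackhole entry; False if refused."""
        cur = self.entries.get(mac)
        # A dynamic entry cannot overwrite a static or blackhole entry.
        if kind == "dynamic" and cur and cur[0] != "dynamic":
            return False
        self.entries[mac] = (kind, port, now)
        return True

    def expire(self, now):
        """Delete dynamic entries not updated within the aging time."""
        self.entries = {m: e for m, e in self.entries.items()
                        if e[0] != "dynamic" or now - e[2] < self.aging}

    def receive(self, src, dst, in_port, now):
        """Learn the source MAC, then return the set of egress ports."""
        self.expire(now)
        self.add(src, "dynamic", in_port, now)  # refused if src is bound
        entry = self.entries.get(dst)
        if entry and entry[0] == "blackhole":
            return set()                   # destination blackhole: filter
        if dst == BROADCAST or entry is None:
            return self.ports - {in_port}  # broadcast mode
        return {entry[1]}                  # unicast mode

def demo():
    t = MacTable(ports={1, 2, 3}, aging=300)
    t.add(SERVER, "static", port=1)   # bind the server to port 1
    t.add(BLOCKED, "blackhole")       # filter frames destined for this MAC
    flood = t.receive(HOST_C, HOST_D, 2, now=0)      # unknown destination
    spoof = t.receive(SERVER, HOST_C, 3, now=10)     # forged source on port 3
    to_server = t.receive(HOST_C, SERVER, 2, now=20) # still goes to port 1
    dropped = t.receive(HOST_C, BLOCKED, 2, now=30)  # blackhole destination
    aged = t.receive(HOST_D, HOST_C, 3, now=400)     # HOST_C entry aged out
    return flood, spoof, to_server, dropped, aged
```

The model covers table state only: the forged frame is still forwarded to its destination, but the static entry for the server keeps pointing at port 1, so later traffic to the server is not redirected.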

Configuring the MAC address table

The configuration tasks discussed in the following sections are all optional and can be performed in any
order.

NOTE:

The MAC address table can contain only Layer 2 Ethernet ports.

This document covers only the configuration of unicast MAC address table entries, including static,
dynamic, and destination blackhole MAC address table entries.

Configuring static, dynamic, and blackhole MAC address table entries

To guard against MAC address spoofing attacks and improve port security, you can manually add MAC
address table entries to bind ports with MAC addresses.
